Dynamic Routing Policy; Virtual Links Example 2 - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

4.4.3. Dynamic Routing Policy

Figure 4.3. Virtual Links Example 2
The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In
the configuration only the Router ID has to be configured; as the example above shows, fw2 needs
to have a Virtual Link to fw1 with the Router ID 192.168.1.1 and vice versa. These VLinks need to
be configured in Area 1.
4.4.2.7. OSPF High Availability Support
There are some limitations in HA support for OSPF that should be noted:
Both the active and the inactive part of an HA cluster will run separate OSPF processes, although
the inactive part will make sure that it is not the preferred choice for routing. The HA master and
slave will not form adjacency with each other and are not allowed to become DR/BDR on broadcast
networks. This is done by forcing the router priority to 0.
For OSPF HA support to work correctly, the firewall needs to have a broadcast interface with at
least ONE neighbor for ALL areas that the firewall is attached to. In essence, the inactive part of the
cluster needs a neighbor to get the link state database from.
It should also be noted that it is not possible to put two HA firewalls on the same broadcast network
without any other neighbors (they won't form adjacency with each other because of the router
priority 0). However, depending on the scenario, it may be possible to set up a point-to-point link
between them instead. Special care must also be taken when setting up a virtual link to an HA firewall.
The endpoint setting up a link to the HA firewall must set up 3 separate links: one to the shared,
one to the master and one to the slave Router ID of the firewall.
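A consistency check for the virtual-link rules above, as an added example that is not part of the manual and is not NetDefendOS configuration syntax. The data model, the `audit_vlinks` function, the HA cluster `ha1` and every Router ID other than 192.168.1.1 are assumptions constructed for illustration.

```python
# Constructed inventory (hypothetical data model, not device syntax).
# "ids" maps a role to an OSPF Router ID; a standalone firewall has one ID,
# an HA cluster has a shared, a master and a slave ID.
# "vlinks" is the set of (transit_area, remote_router_id) pairs configured locally.
ROUTERS = {
    "fw1": {"ids": {"router": "192.168.1.1"},          # Router ID from the manual
            "vlinks": {("1", "192.168.2.1"),           # link to fw2
                       ("1", "192.168.3.1")}},         # link to ha1, shared ID only
    "fw2": {"ids": {"router": "192.168.2.1"},          # constructed Router ID
            "vlinks": {("1", "192.168.1.1")}},
    "ha1": {"ids": {"shared": "192.168.3.1",           # constructed HA cluster
                    "master": "192.168.3.2",
                    "slave": "192.168.3.3"},
            "vlinks": {("1", "192.168.1.1")}},
}

# Intended virtual links: (endpoint A, endpoint B, transit area).
PEERINGS = [("fw1", "fw2", "1"), ("fw1", "ha1", "1")]


def audit_vlinks(routers, peerings):
    """Return (local, transit_area, missing_remote_id, role) for each absent link.

    Each endpoint must define, in the transit area, one virtual link per
    Router ID of the other endpoint: one for a standalone firewall, three
    (shared, master, slave) when the other endpoint is an HA cluster.
    """
    findings = []
    for a, b, area in peerings:
        for local, remote in ((a, b), (b, a)):        # check both directions
            configured = routers[local]["vlinks"]
            for role, rid in sorted(routers[remote]["ids"].items()):
                if (area, rid) not in configured:
                    findings.append((local, area, rid, role))
    return findings


if __name__ == "__main__":
    for local, area, rid, role in audit_vlinks(ROUTERS, PEERINGS):
        print(f"{local}: no virtual link in area {area} to {role} Router ID {rid}")
```

On the constructed inventory the check reports that fw1 lacks the links to the master and slave Router IDs of `ha1`, which is the case the HA paragraph warns about.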
4.4.3. Dynamic Routing Policy
4.4.3.1. Overview
Chapter 4. Routing
